Using the RunAsHighest Fix

This section includes information about using the RunAsHighest compatibility fix, including usage and associated issues.

RunAsHighest

The RunAsHighest compatibility fix causes an application to elevate to the highest available token, and will cause the User Account Control (UAC) elevation prompt to appear if the current context is not already elevated and an elevated, linked token exists. If the user has only one token, either for Standard User or if UAC is disabled, then the current context will be used. The RunAsHighest fix overrules both installer detection and manifest processing, and will determine the elevation state for the entire application after it is applied.

Important

The RunAsHighest compatibility fix should only be applied to applications that offer advanced functionality for more powerful users, but can still work for Standard Users without the advanced functionality. For example, the Windows® Registry Editor (regedit.exe) runs as HighestAvailable, which means that it only elevates the current context when run by a member of the Administrators group, but still provides a read-only view of the registry for users who are not members of the Administrators group.

Investigating the Issue

The RunAsAdmin compatibility fix should be considered as a possible resolution if the advanced functionality appears when you right-click the executable (.exe) file, and then click Run as administrator.

Intercepted APIs

None. This compatibility fix does not intercept any APIs, instead it applies a loader flag to the application.

Fixing Your Code

You can remedy this issue by designing your application specifically to run for Standard Users, or to separate out administrative tasks into clearly marked components that can be explicitly elevated.

One exception to this rule is for applications that require specific privileges, but not others. For example, the Network Configuration Operators group provides more privileges than a Standard User, but to leverage them you must use the highest available token. If, as in this situation, your application requires the HighestAvailable function, you can remedy the situation by creating a manifest for the specific application that includes the HighestAvailable function.